Re: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW: New Version Notification for draft-hardjono-oauth-resource-reg-00.txt

[Eve Maler <eve@xmlgrrl.com>]

Amanda, thanks for the lightning-fast comments back. A couple of additional notes on top of Thomas's response:

The "scope type" language is indeed new this time -- of course this whole modular spec is newly broken out, but the previous text from UMA's rev 05 still said "scope". (There's a new member in the JSON description of a resource set that is called "type", but this is actually the resource set's type: different thing.) Maybe this should just be changed back to "scope" and "scope description", as we really do mean the same construct as in plain OAuth, although here it's enhanced with a machine-readable description, and it's mappable to resource sets that have been explicitly identified. One thing we've been learning lately is that terminology impedance mismatches are not worth the cost; this one is a recent back-sliding. :)

Regarding the sentence "Without a specific resource set identifier path component, the URI applies to the set of resource set descriptions already registered." in Section 2.3: I suspect this can just be deleted entirely. It's redundant with the "List resource set registrations" bullet item just below, which literally shows the {rsid} component of the path being absent. This is the only supported method in this API that has no {rsid} path component.

Regarding {rsreguri}: I do see it defined, in this same Section 2.3. Basically this notation is simply a device to allow for referring to a "resource set registration endpoint" (defined in the Terminology section) in the URIs here that serve as method templates. Is there a better way to do this?

	Eve

On 27 Dec 2012, at 4:37 PM, Thomas Hardjono <hardjono@mit.edu> wrote:

> Thanks Amanda,
> 
> - Scope and types:  We went back and forth with regards to "scope type" and finally just used "type" with the assumption that the reader would know what we mean by it (ie. context dependent).  However, we're very open to going back to the previous language.
> 
> - Resource set registration: yes that sentence does read weirdly, will fix :-)
> 
> - Resource set registration API:  If Alice (the RO) has already previously registered some resources at the AS, then Alice will already have a PAT token (and the AS knows about Alice, her PAT, her resource sets and scopes). If Alice comes back again with the same PAT and forgets to specificy the path component, we assume the AS is smart enough to figure out which sets Alice is refering to. Does this help? (or does it still read weirdly).
> 
> - The {rsreguri} URI component is defined but never used: hmm yes you are correct. Will fix this.
> 
> 
> Thank you again.
> 
> cheers,
> 
> /thomas/
> 
> __________________________________________
> 
> 
>> -----Original Message-----
>> From: Anganes, Amanda L [mailto:aanganes@mitre.org]
>> Sent: Thursday, December 27, 2012 4:57 PM
>> To: Thomas Hardjono; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW:
>> New Version Notification for draft-hardjono-oauth-resource-reg-00.txt
>> 
>> Hi Thomas,
>> 
>> Here is some initial feedback.
>> 
>> Introduction paragraph 2:
>> 
>> Remove duplicate "with": "the OpenID Provider (OP) component is a
>> specialized version of an OAuth authorization server that brokers
>> availability of user attributes by dealing *with with* an ecosystem of
>> attribute providers (APs)."
>> 
>> Section 1.2 Terminology:
>> 
>> This is more of a comment for the UMA WG in general: "scope type" is an
>> unfortunate term (which appears in the UMA core draft [1] as well - if
>> memory serves the term used to be just "scope" but I couldn't find a
>> diff reference for when that changed). Including "type" in the term
>> makes it sound like it refers to a class or kind of scope, which
>> doesn't seem to be what you mean. I understand that "scope" cannot be
>> used since it is already reserved by OAuth, but perhaps a better
>> synonym could be found and used instead?
>> 
>> 2. Resource set registration
>> 
>> 2nd sentence reads oddly. Change from "For any of the resource owner's
>> sets of resources this authorization server needs to be aware of, the
>> resource server MUST register these resource setsŠ" to "If this
>> authorization server needs to be aware of any of the resource sets, the
>> resource server MUST register those resource setsŠ"
>> 
>> 2.2 Resource set descriptions
>> 
>> "scopes" and to refer to sets of "scope type"s and "type" to refer to
>> the class/kind of resource set this is add to the argument above that
>> "scope type" is a misleading term.
>> 
>> 2.3 Resource set registration API
>> 
>> I don't understand what this sentence means: "Without a specific
>> resource set identifier path component, the URI applies to the set of
>> resource set descriptions already registered." Can you clarify?
>> 
>> The {rsreguri} URI component is defined but never used. It looks like
>> all of the "/resource_set" URIs should be prefaced with this component
>> throughout the following sections?
>> 
>> [1] https://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
>> 
>> --
>> Amanda Anganes
>> Info Sys Engineer, G061
>> The MITRE Corporation
>> 781-271-3103
>> aanganes@mitre.org
>> 
>> 
>> On 12/27/12 2:24 PM, "Thomas Hardjono" <hardjono@MIT.EDU> wrote:
>> 
>>> Folks,
>>> 
>>> The OAuth 2.0 Resource Set Registration draft is essentially a generic
>>> first phase of the User Managed Access (UMA) profile of OAuth2.0.
>> This
>>> allows the RO to "register" (make known) to the AS the resources
>> he/she
>>> wishes to share.
>>> 
>>> Looking forward to comments/feedback.
>>> 
>>> /thomas/
>>> 
>>> __________________________________________
>>> 
>>> 
>>> -----Original Message-----
>>> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
>>> Sent: Thursday, December 27, 2012 2:07 PM
>>> To: Thomas Hardjono
>>> Subject: New Version Notification for
>>> draft-hardjono-oauth-resource-reg-00.txt
>>> 
>>> 
>>> A new version of I-D, draft-hardjono-oauth-resource-reg-00.txt
>>> has been successfully submitted by Thomas Hardjono and posted to the
>> IETF
>>> repository.
>>> 
>>> Filename:        draft-hardjono-oauth-resource-reg
>>> Revision:        00
>>> Title:           OAuth 2.0 Resource Set Registration
>>> Creation date:   2012-12-27
>>> WG ID:           Individual Submission
>>> Number of pages: 19
>>> URL:
>>> http://www.ietf.org/internet-drafts/draft-hardjono-oauth-resource-reg-
>> 00.t
>>> xt
>>> Status:
>>> http://datatracker.ietf.org/doc/draft-hardjono-oauth-resource-reg
>>> Htmlized:
>>> http://tools.ietf.org/html/draft-hardjono-oauth-resource-reg-00
>>> 
>>> 
>>> Abstract:
>>>  This specification defines a resource set registration mechanism
>>>  between an OAuth 2.0 authorization server and resource server.  The
>>>  resource server registers information about the semantics and
>>>  discovery properties of its resources with the authorization
>> server.
>>> 
>>> 
>>> 
>>> 
>>> The IETF Secretariat
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl